Healthcare Sector Application Security: Preventing Threats from Becoming Attacks

Published March 17, 2021. Written by Michael Solomon. Michael G. Solomon, PhD, CISSP, PMP, CISM, PenTest+, is a security, privacy, blockchain, and data science author, consultant, educator and speaker who specializes in leading organizations toward achieving and maintaining compliant and secure IT environments.

Software security isn’t a state of being, or even a single action; it is a process, and one that requires more than just hardening your software. The year 2020 saw a dramatic rise in cyberattacks, with many attacks specifically targeting IT infrastructure. Any attack that compromises an IT environment interrupts normal operations, which can effectively interrupt critical software operations. Regardless of how secure your software is, if you can’t access critical data or services, your application won’t be available to authorized users. And since availability is one of the “big three” tenets of security, unavailable effectively means insecure.

Ensuring software security is an organic and community-driven effort. For the most effective result, focus on actions that provide benefits for your software and its surrounding environment. The last thing you want to do is constantly put out fires. A better approach is to get ahead of the fires: learn to anticipate attacks and take proactive measures. Here are some ways to create a balanced threat-handling environment to make your software more secure.

Responding to attacks

The first step to handling any attack is to recognize that an attack is being carried out. That may sound simple, but in many cases it isn’t. Non-disruptive attacks like data exfiltration may go unnoticed for months. Security is challenging even under normal circumstances, and the problem of handling attacks is even worse given the pressures of today’s realities. Organizations of all types were put under more pressure when the new realities of COVID-19 changed the way people work and interact.

But few sectors were impacted more than healthcare. In addition to changes in the workforce and patient interaction protocols, COVID-19 stretched every aspect of delivering quality healthcare. IT service and security concerns were just one part of the bigger problem. And in the midst of all the additional pressure, ransomware attackers sensed an opportunity and launched an unprecedented number of attacks against the healthcare sector. For example, in October 2020, the University of Vermont (UVM) Medical Center suffered a successful ransomware attack that ended up disabling all online systems for several weeks. At first it wasn’t evident that the interruption was an attack, but once the nature of the attack did become clear, UVM personnel searched for nearly two hours before they found a file that contained a note from the attackers. CNN picked up on the alarming statistics and published a story about the UVM Medical Center attack, and the Cybersecurity and Infrastructure Security Agency (CISA) published an advisory warning of the increasing number of ransomware attacks on healthcare organizations.

UVM had taken some precautions to harden their systems, but the attackers were still able to succeed. While there is no guaranteed approach that leads to an impenetrable defense, there are ways to make your organization far less vulnerable. There is a constant need to iterate over updated threat information to stay ahead of the attackers. The goal is to approach the problems of security in parallel. If all you do is respond when you receive a new attack alert, you’re […]

7 Database Security Principles and Practices

Published February 24, 2021. Written by Ed Tittel. Ed Tittel is a long-time IT industry writer and consultant who specializes in matters of networking, security, and Web technologies. For a copy of his resume, a list of publications, his personal blog, and more, please visit www.edtittel.com or follow @EdTittel.

Few, if any, other repositories for data and metadata within an organization exceed the importance and value of its databases (DBs). In fact, databases often provide a home for an organization’s personnel information, financial data of all kinds (pay, taxes, purchases, income, and other monetary transactions), and data describing its physical inventory and assets. Thus, it’s not unfair to observe that most of the data that defines “who, what, where, when, and why” for an organization is likely to reside in a database. All of this goes to explain why DB security is vitally important to an organization’s health and its ability to conduct business.

Principles that drive DB security are well understood

In the realm of database security, informed professionals understand that while basic security principles definitely apply, they can (and often do) take a database-specific slant. Thus, any enumeration of such principles will often play to the special circumstances involved in defining database metadata (often called a “database schema” to emphasize its scope and coverage for some specific and related collection of data) and in setting up and managing a database engine of some kind (which may be on-premises, in one or more clouds, and various permutations on those themes). That said, here is how some of these basic principles play into the world of database security.

1. Principle of least privilege (aka PLP)

In general, PLP means providing the minimum of access rights and user privileges necessary to perform some specific task, run an application, or work with database contents, software or infrastructure elements. As with other PLP situations, periodic review to avoid “privilege creep” (gradual accumulation of more rights and privileges than are really needed) is essential. But in general, database designers and database administrators (DBAs) should grant only the rights and privileges that users, applications, and services need, and no more than that.

2. Platform hardening

Across the board, platform hardening requires a deep understanding of a platform’s vulnerabilities and its attack surfaces, so that organizations can take pre-emptive measures to address known potential weaknesses. Among other things, this means uninstalling or disabling features or services that you don’t need or use. It also means resolutely enforcing password discipline, especially when it comes to changing well-known passwords and their associated accounts (best to delete them if you don’t use them). Make sure all security controls that the database engine offers are enabled, and set to maximum tolerable levels. Checks on hardening success are covered further in the upcoming “monitoring and auditing” item.

3. Data protection

Data and metadata for the database should be encrypted both in motion and at rest (and this applies to backups and snapshots, too). Data and metadata should include security tags or classifications to permit full-blown security policies and protections to apply. Data protection also includes monitoring its access and use, export and exfiltration, especially wholesale copying activity not readily explained or understood.

4. Monitoring and auditing

The old saying goes, “If you don’t monitor it, you can’t measure it.” This applies equally to […]

Cybersecurity Trends in Fintech

Published February 17, 2021. Written by Michael Solomon. Michael G. Solomon, PhD, CISSP, PMP, CISM, PenTest+, is a security, privacy, blockchain, and data science author, consultant, educator and speaker who specializes in leading organizations toward achieving and maintaining compliant and secure IT environments.

The year 2020 will go down in history as a year of uncomfortable changes. Just about everyone was forced to approach aspects of personal and professional life differently, from buying groceries to conducting business to maintaining safe interactions with others. Fortunately, existing technology and service offerings allowed us to make adjustments and work through the changes. Zoom went from being a useful way of meeting virtually to a staple of business, education and social interactions. Likewise, the financial technology industry, often called fintech, expanded products and services to make contactless financial exchanges safer and more accessible. But as fintech’s popularity grew in 2020, so did its attack surface.

Fintech is the industry that provides individuals and businesses with the technology to carry out financial transactions. If you’ve ever sent someone a payment using Venmo, accepted a payment card using your smartphone, or applied for a loan online, you’ve consumed fintech services. In short, fintech’s goal is to leverage technology to compete with, or even replace, traditional financial services by making them cheaper, easier and more accessible. Smart devices and nearly universal internet access make the process of carrying out financial transactions in a socially distanced environment easy. But to keep fintech’s growth on track, cybersecurity has to stay ahead of the attackers. Fintech companies can’t afford to lose their customers’ trust. Let’s look at the most important cybersecurity trends in fintech that are needed to keep that trust.

Technology reliance creates risk

Any transition to a greater reliance on technology introduces risk. Additional devices and software can provide opportunities for attackers to find and leverage weaknesses. The COVID-19 pandemic punctuated the importance of touchless and socially distanced interactions. One of the most common pre-COVID-19 close-proximity interactions was paying for products and services. Although touchless and remote payment options were available prior to 2020, the pandemic made touchless payments a welcome feature. The number of suppliers and consumers who used touchless payments for the first time skyrocketed in 2020.

Any industry-wide growth naturally attracts cybercriminals to prey on a new group of potential victims. According to a recent Fintech News article, attacks are up across the industry and included a 600% increase in phishing attempts and a 630% increase in cloud-based attacks. One reason for such large jumps is the increased use of personal devices to engage in financial transactions. Personal devices often aren’t managed to be as secure as many legacy devices owned by service providers.

In addition to facing increased attack frequency and severity, many fintech companies are still in the process of digital transformation. While startups may begin their commercial lives with new infrastructure and software, most fintech companies still rely on some legacy devices and software. Each type, or layer, of software, devices and infrastructure means the potential for security vulnerabilities to exist. While it is possible to upgrade hardware devices with the latest models, software poses a bigger challenge. Even startups go through a software development process that results in code written using outdated standards or best practices. It isn’t possible to write […]

A Timeline of the Solarwinds Hack: What We’ve Learned

Published January 19, 2021. Written by the Kiuwan Team: experienced developers, cyber-security experts, ALM consultants, DevOps gurus and some other dangerous species.

The SolarWinds hack was a major security breach that affected over 3,000 SolarWinds customers, including major corporations like Cisco, Intel, Cox Communications, and Belkin. Also impacted were multiple US states and government agencies, including the US Department of State and the US Department of Homeland Security. The attack, dubbed SUNBURST, involved inserting malicious code into SolarWinds’s Orion Platform software. This code created a backdoor which was later used to access customers’ networks. Experts believe the attack was instigated by hackers based in Russia who may have managed to access sensitive government data. SUNBURST is one of the most sophisticated cyberattacks in history, with malware capable of evading detection. Here’s a timeline of the major events in the SUNBURST attack, followed by recommendations for organizations to protect against supply-chain threats.

The Attack Timeline

Threat Actor Accesses SolarWinds

September 4, 2019: unknown attackers access SolarWinds.

September 12, 2019: the hackers inject the test code and perform a trial run. The attackers use a sophisticated injection source to insert the SUNBURST malicious code into the company’s Orion Platform software. The attackers use multiple servers based in the US and mimic legitimate network traffic to circumvent the threat detection used by SolarWinds, its partners, and clients.

February 20, 2020: hackers compile and deploy the SUNBURST attack. This is an updated variant of the malicious code, inserted into the Orion Platform releases from February 20, 2020, onward.

June 4, 2020: the perpetrators remove the SUNBURST malicious code from SolarWinds systems.

FireEye Discovers SolarWinds Attacks

December 8, 2020: FireEye, a cybersecurity threat and intelligence provider, reports that state-sponsored hackers broke into its network and made away with its Red Team penetration testing and assessment tools. The company expresses concern that the hackers would use the stolen tools to target other companies.

December 11, 2020: while conducting breach investigations, FireEye discovers that SolarWinds had been attacked. They realize that this was a supply chain hack in which the attackers had corrupted and weaponized SolarWinds’ Orion Platform updates. The malicious SUNBURST code had corrupted all the Orion releases made between March and June 2020.

December 12, 2020: FireEye informs SolarWinds that the Orion Platform had been compromised through a cyberattack. The news prompts the National Security Council (NSC) to convene a White House meeting to discuss the security breach of several government agencies and enterprises.

The News Becomes Public

December 13, 2020: the Cybersecurity and Infrastructure Security Agency (CISA) issues an emergency directive requiring federal agencies to disable SolarWinds Orion connections because they pose a substantial security threat. SolarWinds issues a security advisory explaining the Orion Platform hack and the defensive measures clients could use to protect their systems. FireEye discloses that a hacker had used SolarWinds’ supply chain to compromise the networks of several global clients. Microsoft issues guidance explaining how the attack could affect its customers. The attack receives media coverage for the first time. Reuters reports that the hack on SolarWinds Orion may have originated in Russia and could have compromised the systems of several federal agencies.

Public Response Begins

December 15, 2020: SolarWinds releases a software fix. The media identifies victims that include the Department of Homeland Security (DHS), the State Department, and […]

Gambling with Security: Mitigating Threats to Online and Mobile Gaming

Published February 3, 2020. Written by Ed Tittel. Ed Tittel is a long-time IT industry writer and consultant who specializes in matters of networking, security, and Web technologies. For a copy of his resume, a list of publications, his personal blog, and more, please visit www.edtittel.com or follow @EdTittel.

In this time of the COVID-19 pandemic, we’re all spending more time on our PCs and smartphones. It might seem odd, but The Business Research Company’s Global Online Gambling Market report asserts that online gambling has skyrocketed in 2020. This is because home-bound punters, blocked from visiting brick-and-mortar gambling dens, are turning to online gambling destinations in droves. This makes protecting games of chance — and their players — against online gambling security threats more important than ever, especially where mobile gambling security is concerned.

Online gambling is in hackers’ crosshairs

In June 2020, Security Boulevard published a discussion of cybersecurity for the online casino and gambling industry. It exposes a number of clear and present dangers that face online gambling developers and involve more than hack attacks (though those are also quite prevalent). Access to gambling platforms themselves can come under direct attack, but smart attackers also recognize that scamming gamblers is another avenue of more indirect attack. By stealing customer information, attackers can ultimately access their money at far less risk to themselves than a “fair game” of chance.

The revenue streams involved can also be quite substantial. Grand View Research estimates the size of the global online gambling industry as $53.7 billion in 2019, and a compound annual growth rate of 11.5% is projected from 2020 to 2027, for a global market size of $127.3 billion by that year. Europe dominated the 2019 market with $22 billion in receipts, but the US appears headed for the top in the short term, with Grand View Research projecting its market size at nearly $103 billion by 2025. The Asian market is also coming on strong, as more online venues that serve its populations keep appearing.

Cryptocurrency payments are becoming the norm in gambling apps and applications, as online gambling and casino operators switch to Bitcoin and its various counterparts. From a security standpoint, cryptocurrency is attractive because gamblers need not enter their personal data during deposits, and blockchain systems are nearly hack-proof. In addition, cryptocurrency transaction fees are much smaller (sometimes zero) than for a traditional payment method such as credit or debit cards, bank account access, and so forth. Deposits and withdrawals are faster, too, while maintaining player anonymity.

More players means more attack vectors

Desktop PCs, with their larger monitors and display areas, still dominate online gambling by user count. But as smartphone size and resolution have increased over the past decade, momentum is shifting toward mobile users. Mobile online gambling applications are looking for traction, with more variety in deposit options for playing funds, loyalty points, and interactive play with others around the globe. Mobile technology continues to exert a massive influence on online gambling. Trends such as social gambling and a proliferation of mobile gambling applications signal oncoming changes in gambling habits and practices. Given that somewhere between a third and half of the global population has ready access to a smartphone, casinos and online gambling organizations are investing ever more heavily in gaming applications, especially […]

Release Announcement — January 28, 2021

Published January 28, 2021. Written by the Kiuwan Team: experienced developers, cyber-security experts, ALM consultants, DevOps gurus and some other dangerous species.

The Kiuwan team is excited to announce the availability of our latest release, with new features for both cloud and on-premises customers. Kiuwan is a fast, reliable and scalable Application Security and Enterprise Software Analytics solution. Kiuwan includes several tools for management and development that identify and guide remediation of security vulnerabilities in source code. These tools support the implementation of critical shift-left strategies that many companies desire today. Fluent in major programming languages and frameworks, Kiuwan allows extensions and customization for customer-specific needs and integrates with leading DevOps IDEs and tools, in an on-premises or SaaS model.

Support for custom components in Kiuwan Insights

As requested by our customers, Kiuwan Insights now supports custom artifacts, allowing the creation and maintenance of custom artifacts along with their associated licenses and vulnerabilities. This allows Kiuwan users to identify the use of custom artifacts stored in their own repositories, to track their use in their development, and to signal during Insights analysis the vulnerabilities, license issues, and obsolescence that the use of these custom components adds to the application. Custom components, licenses, and vulnerabilities can be added and modified both through the UI and the REST API. With this new functionality, customers will have a complete view of the components used, either public or private, avoiding the need to track custom components outside Kiuwan.

Engine tuning pack

The Kiuwan engine is able to perform source code analysis on a wide variety of programming languages. It parses source code into memory structures, and these structures are checked against rules to identify quality and security issues. Each customer has their own way of using their languages and libraries, so we rely on continual feedback from our customers in order to continuously improve the quality and performance of our analysis. This engine tuning pack incorporates new cases and includes widely requested small enhancements:

- New detection rules and improvements to existing rules to find more security vulnerabilities in code
- Updates to reduce some of the false positives returned by the product
- Performance improvements
- Revisions to our security and protection rules for more accurate results
- Improvements to our discovery elements for Oracle, HTML5, and JavaScript, allowing for greater security detection
- Language parsing improvements for more language coverage
- Updated language levels
- Additional bug fixes and improvements

Documentation for this release is available in the product documentation repository. For a full list of additional bug fixes and improvements, refer to our Change Log.

How to get the new release

The new release is available immediately to our Cloud customers. Access the new version via the customer portal. Customers using the On-Premises version of Kiuwan should reach out to their account representative for an updated license key.

Would you like to know more about Kiuwan solutions? Get in touch with our Kiuwan team! We love to talk about security.

A Timeline of the Solarwinds Hack: What We’ve Learned

Published January 19, 2021. Written by the Kiuwan Team: experienced developers, cyber-security experts, ALM consultants, DevOps gurus and some other dangerous species.

The SolarWinds hack was a major security breach that affected a software company serving over 3,000 companies, including major corporations like Cisco, Intel, Cox Communications, and Belkin. Also attacked were multiple US states and government agencies, including the US Department of State and the US Department of Homeland Security. The attack, dubbed SUNBURST, involved inserting malicious code into the firm’s Orion Platform software and using it to access clients’ networks. Experts believe the attack was instigated by hackers based in Russia who may have managed to access sensitive government data. It is one of the most sophisticated cyberattacks in history, with malware capable of evading detection. Here’s a timeline of the major events in the SUNBURST attack, followed by recommendations for organizations to protect against supply-chain threats.

The Attack Timeline

Threat Actor Accesses SolarWinds

September 4, 2019: unknown attackers access SolarWinds.

September 12, 2019: the hackers inject the test code and perform a trial run. The attackers used a sophisticated injection source to insert the SUNBURST malicious code into the company’s Orion Platform software. The attackers used multiple servers based in the US and mimicked legitimate network traffic to circumvent the threat detection used by SolarWinds, its partners, and clients.

February 20, 2020: hackers compile and deploy the SUNBURST attack. This was an updated variant of the malicious code, inserted into the Orion Platform releases from February 20, 2020, onward.

June 4, 2020: the perpetrators removed the SUNBURST malicious code from SolarWinds systems.

FireEye Discovers SolarWinds Attacks

December 8, 2020: FireEye, a cybersecurity threat and intelligence provider, reports that state-sponsored hackers broke into its network and made away with its Red Team penetration testing and assessment tools. The company was concerned that the hackers would use the stolen tools to target other companies.

December 11, 2020: while conducting breach investigations, FireEye discovered that SolarWinds had been attacked. They realized that this was a supply chain hack in which the attackers had corrupted and weaponized SolarWinds’ Orion Platform updates. The malicious SUNBURST code had corrupted all the Orion releases made between March and June 2020.

December 12, 2020: FireEye informs SolarWinds that the Orion Platform had been compromised through a cyberattack. The news prompted the National Security Council (NSC) to convene a White House meeting to discuss the security breach of several government agencies and enterprises.

The News Becomes Public

December 13, 2020: the Cybersecurity and Infrastructure Security Agency (CISA) issues an emergency directive requiring federal agencies to disable SolarWinds Orion connections because they posed a substantial security threat. SolarWinds issues a security advisory explaining the Orion Platform hack and the defensive measures clients could use to protect their systems. FireEye disclosed that a hacker had used SolarWinds’ supply chain to compromise the networks of several global clients. Microsoft issued guidance explaining how the attack could affect its customers. The attack got media coverage for the first time. Reuters reported that the hack on SolarWinds Orion may have originated in Russia and could have compromised the systems of several federal agencies.

Public Response Begins

December 15, 2020: SolarWinds released a software fix. The media identified victims including the Department of Homeland Security (DHS), the State Department, and the National […]

Virtual CISO: Leveraging External Security Expertise

Published January 14, 2021. Written by Michael Solomon. Michael G. Solomon, PhD, CISSP, PMP, CISM, PenTest+, is a security, privacy, blockchain, and data science author, consultant, educator and speaker who specializes in leading organizations toward achieving and maintaining compliant and secure IT environments.

Today’s organizations, both big and small, are finding that security activities consume more resources than ever before. Cyber criminals are getting better all the time, and staying just one step ahead of them is getting harder. But it’s not just more sophisticated criminals; organizational growth, increased infrastructure complexity and expanding compliance requirements also require more time, people and technology to avoid becoming a victim of a cybersecurity breach.

Security used to be focused on physical access to facilities and resources, or adding layers of logical controls to protect software and data. However, security concerns of the 21st century don’t fit into nice buckets anymore. Security concerns affect every aspect of an organization’s operations and should be an integral driver of strategic planning. Information security used to be a good idea to include “if there is time.” Then it became more important as cyberattackers became more sophisticated at leveraging vulnerabilities. Now, information security is an integral component of organizational strategic viability. It is just as important as fiscal integrity and product quality. Executives have become acutely aware of the impact of poor information security on their organization’s profitability and longevity. A lack of security focus at the executive level could easily result in hefty fines for non-compliance, punitive rulings after a finding of liability or negligence, or a loss of customers and partners after a confidence-shattering breach. The risk of undervaluing information security is too great to ignore.

To address the growing awareness of information security’s importance to strategic planning, many larger organizations now include a Chief Information Security Officer (CISO) in the executive suite. A CISO provides executive leadership guidance on keeping organizations secure and compliant. But with the median salary for a CISO being over $200,000, many companies cannot afford their own CISO. The need is still there, but the budget doesn’t allow for a full-time person in that position. However, there is an attractive alternative. Organizations that lack the budget for a CISO are increasingly turning to an outsourced solution: the virtual CISO, or vCISO. Let’s look at what a vCISO does and how one can benefit small and medium-sized businesses.

Benefits of a vCISO

A vCISO is generally a cybersecurity professional who works part-time offering security services to multiple organizations, working for several throughout any year. This job-sharing approach gives organizations access to a CISO without having to hire one full time. The vCISO fills several needs through different types of services, including:

- Cybersecurity guidance to executives
- Security readiness assessment
- Compliance alignment recommendations (for HIPAA, GDPR, PCI-DSS, CCPA and dozens more)
- Remediation prioritization
- Security architecture guidance
- Incident response
- Governance
- Business continuity

A vCISO helps organizations transition from viewing security as a tactical requirement to a strategic one. This transition isn’t an easy one without support from the top. That’s the most important role of a vCISO: to solicit and ensure ongoing support of security from the very top of the organization’s leadership. The strategic nature of a vCISO’s approach to security isn’t in contrast to existing security activities or other organizational goals. The vCISO should help ensure […]

Secure Remote Access: Keeping Employees and the Organization Safe

Published May 19, 2020. Written by Ed Tittel. Ed Tittel is a long-time IT industry writer and consultant who specializes in matters of networking, security, and Web technologies. For a copy of his resume, a list of publications, his personal blog, and more, please visit www.edtittel.com or follow @EdTittel.

In this age of lockdowns, social distancing and working from home, organizations must think carefully about how to extend their networks and services across the internet and into employees’ and contractors’ homes. This makes remote access security management both a timely and an imperative topic, because it has become the norm for many companies and organizations this year. If we are to believe even the most optimistic of vaccine deployment scenarios, our pandemic situation is likely to persist for at least another six to nine months. That said, many experts think that working from home is the new normal, so even once it’s safe for us all to be together in an office again, there may be no office to go back to. The old ways of working mostly within a secure organizational perimeter are on the way out, so we need to update our security operations for the new reality.

How does remote access work?

In the simplest of terms, remote access requires that users employ a remote device of some kind to establish a connection to an organizational service. The connection is a communication link that spans the internet from the client or user side to a server or service inside the firewall. For example, Microsoft includes both an old-line application, Remote Desktop Connection, and a new-style Universal Windows Platform (UWP) app, Remote Desktop, in Windows 10. Both use Microsoft’s Remote Desktop Protocol (RDP) to establish a remote connection between a client PC (user device) on one side and a host PC or server (server device) on the other side. Thus, the elements of remote access include the following:

- A remote access client or application that lets the end-user request access to a remote resource of some kind
- A remote connection that connects the end-user to the resource, and vice versa
- A remote host or service to which an end-user can connect, and from which they can request information, services, resources and so forth

Securing remote access means securing all elements

For a company or organization to meet best security practice requirements for remote access, all elements involved in remote access must be secure. Here’s a checklist of items and capabilities that fall under this large and far-ranging umbrella:

- Before users obtain remote access, they must be identified and authenticated. The best form of security for identity and authentication nowadays relies on two-factor authentication (2FA) or better, where a user’s cellphone serves admirably to provide a separate channel for ID and authentication traffic, as well as providing a tangible token of identity in and of itself.
- The client software that users employ for remote access should itself be secure and free from known technical vulnerabilities or susceptibility to attack through social engineering.
- Users working remotely need basic security awareness training to keep them from inadvertently disclosing what the organization wants kept confidential – namely, their account and password information, among other sensitive data.
- The client software must also be scanned for vulnerabilities (preferably at high frequency, if not continuously) […]

6 Threats to Development Team Productivity

Published December 17, 2020 WRITTEN BY THE KIUWAN TEAM. Experienced developers, cyber-security experts, ALM consultants, DevOps gurus and some other dangerous species.

Productivity rates are critical to success in any industry. That is true of software products, too, which need not only to be produced efficiently but also to be secure from cyberattacks. If you’re considering how to improve your software team’s productivity, then you will want to know the top threats impacting software development team productivity and how to solve them. The following paragraphs address six of them.

1. The Need for Speed

The enemy of quality software development is often the unrealistic and impossible deadlines set by project managers. The sleight of hand happens this way: in response to client requests, managers often press developers for delivery estimates. They often push for the lowest possible delivery estimates. The mistake they make, though, comes when they consider those delivery estimates to mean delivery deadlines agreed upon by the developer team. Managers pass along the “deadlines” to senior management, leaving developers feeling stressed and unable to perform at optimum levels. It comes down to managing the client’s expectations. Take the time to make sure that the client understands that a slower work pattern due to rigorous testing results in a better quality product. That communication and understanding can make a world of difference for the development team.

2. Poor Code Quality

Poor code quality appears in various forms. It may mean code that is difficult for other developers or team members to read, which affects the ability to make necessary changes. It may mean that the development team rushed to meet deadlines and, in doing so, released the software without testing and without fixing the bugs that existed, or that they could have prevented.
Poor code quality decreases production agility and impacts the project’s development over the long term. Code quality is positively impacted by:

Following code standards
Testing code
Selecting a project manager to monitor project quality

3. Outdated Technology

Updated technology helps employees do their jobs more efficiently, saves valuable project time, generally keeps customers satisfied, and gives businesses a leg up over their competitors. Successful development teams have the modern tools they need to work quickly and securely. PricewaterhouseCoopers (PwC) conducted a study of 12,000 people in Canada, China, Hong Kong, the US, the UK, India, Germany, and Mexico. The participants worked in roles ranging from the C-suite to administration and in various industries. PwC found that 90% of C-suite executives believe they take into account the technology their people need to do their jobs. Only 53% of their workers said the same. And while 92% of the C-suite executives were satisfied with their company’s experience with the technology provided to carry out the most important projects, only 68% of their workers felt the same way. It’s easy to understand the disconnect. When technology fails, C-suite executives hand the problem to someone else to solve. The worker bees are left to deal with the aftermath of outdated technology.

4. The CI/CD Pipeline

As the name implies, the CI/CD pipeline consists of two components: CI and CD. Continuous integration (CI) refers to the software development practice that requires frequent code checks during software development and producing small code changes as the team discovers them. […]
